The Obama administration is threatening to veto legislation that would give private companies broad legal immunity for sharing cybersecurity information with the government. The White House detailed the changes it is seeking to the Cyber Intelligence Sharing and Protection Act (CISPA) in a Tuesday statement.

The legislation, which was sponsored by Rep Mike Rogers (R-MI), is due for a vote in the House of Representatives this week. A version of the legislation passed the House a year ago, but companion legislation was defeated by a Senate filibuster.

Rather than giving the government the power to directly regulate private networks, CISPA focuses on encouraging private companies to share security-related information with each other and the government. The legislation limits the liability of private companies that engage in such information-sharing.

More safeguards needed?

Civil liberties groups such as the American Civil Liberties Union oppose the legislation. Supporters have made changes to the bill to mollify critics. But in a Friday blog post, the ACLU described the latest version as "fatally flawed." They worry that the broad limitations on liability offered by CISPA will undermine legal safeguards for Americans' privacy. The bill would essentially give corporations a blank check to allow for widespread sharing of all kinds of information—including personal information—with other companies, or with the government, as long as it "pertains" to cybersecurity.

The White House's Tuesday statement echoes many of the ACLU's concerns. "The bill does not require private entities to take reasonable steps to remove irrelevant personal information when sending cybersecurity data to the government or other private sector entities," the administration said. "Citizens have a right to know that corporations will be held accountable—and not granted immunity—for failing to safeguard personal information adequately."

Another hot-button issue is whether information will be shared with civilian bureaucrats at the Department of Homeland Security or with military agencies such as the National Security Agency. The current draft of CISPA would have companies share information with the NSA. But in the Obama administration's view, "newly authorized information sharing for cybersecurity purposes from the private sector to the government should enter the government through a civilian agency, the Department of Homeland Security."

Finally, the White House expressed concern about the "broad scope" of the immunity CISPA grants to companies sharing information. "The law should not immunize a failure to take reasonable measures, such as the sharing of information, to prevent harm when and if the entity knows that such inaction will cause damage," the Obama administration argues.

Ryan Radia, a policy analyst at the libertarian Competitive Enterprise Institute, is also skeptical of the legislation. In a phone interview with Ars, Radia questioned the legislation's basic approach. Radia doesn't object to making it easier for companies to share security information. But he believes that rather than offering firms blanket immunity from all of the nation's privacy laws, Congress should identify and amend specific privacy laws, like the Wiretap Act and the Stored Communications Act, that could hinder information sharing. In his view, this case-by-case approach is less likely to eviscerate important privacy safeguards.

Some House Democrats also oppose the legislation. Four of them penned a "dear colleague" letter arguing that CISPA "unacceptably and unnecessarily compromises the privacy interests of Americans online."

“We have come a long way”

Informed of the White House's veto threat, the bill's sponsor described it as "flabbergasting."

"I do not believe the administration knows how to work with a legislative body," Rep. Rogers said. "We have come a long way on some of their points."

In comments widely reported on Twitter, Rogers emphasized that the proposal was supported by Silicon Valley CEOs. And he suggested that the typical opponent was a "14-year-old tweeter in the basement." The Electronic Frontier Foundation seized on the statement, urging its more than 112,000 followers to "tell him how wrong he is by tweeting to @RepMikeRogers."

Timothy B. Lee
Timothy covers tech policy for Ars, with a particular focus on patent and copyright law, privacy, free speech, and open government. His writing has appeared in Slate, Reason, Wired, and the New York Times. Emailtimothy.lee@arstechnica.com//Twitter@binarybits

Even if the opposition is all basement-dwelling 14-year-olds, it doesn't matter. They're still US citizens, and therefore should have a voice. I know, not voting age and all. Just reeks of ageism to me.

It's rough living in Eric Cantor's district. I just called to register my displeasure but it felt pretty pointless. If there's an issue I care about, this ass-hat is guaranteed to be on the wrong side of it.

Wait, a group of wolves is FOR legislation that makes it easier for wolves to prey on sheep? I don't understand why that would be so. And I don't get the sheep being AGAINST it, either. Can someone explain this to me in politically correct terms?

The checks from the lobbyists will bounce if the law does not pass! Of course the lawmakers are all worked up about it. And what's a good public policy debate if you can't throw insults and attempt to discredit your opponents with irrational, unfounded, characterizations. Welcome to the new America. Public service, meet Reality TV.

Even if the opposition is all basement-dwelling 14-year-olds, it doesn't matter. They're still US citizens, and therefore should have a voice. I know, not voting age and all. Just reeks of ageism to me.

Oh, but it makes so much more sense to have a bunch of 75 year olds to vote on decisions that affect modern technology.

For a news article this is surprisingly lacking any specifics on the language of the bill. There isn't even a point by point he said she said of the contentious issues. Pretty useless if I am supposed to form an opinion on the current for of the proposal from this article based on the proposal itself. According the the article the critics don't agree with each other on why it should be opposed, this appearance may or may not reflect reality but it sure would be nice to deal in facts and specifics.

From the beginning of the article:"The bill would essentially give corporations a blank check to allow for widespread sharing of all kinds of information"Translation: The bill shares too much information

"The law should not immunize a failure to take reasonable measures, such as the sharing of information, to prevent harm when and if the entity knows that such inaction will cause damage"Translation: The bill doesn't require enough sharing of information

Which is it? Does it allow too much sharing or not share enough? What does it do?

Even if the opposition is all basement-dwelling 14-year-olds, it doesn't matter. They're still US citizens, and therefore should have a voice. I know, not voting age and all. Just reeks of ageism to me.

Oh, but it makes so much more sense to have a bunch of 75 year olds to vote on decisions that affect modern technology.

Ageist! 75-year-olds forward snopes-failing chain emails to each other and use the Clapper. They totally get technology.

For a news article this is surprisingly lacking any specifics on the language of the bill. There isn't even a point by point he said she said of the contentious issues. Pretty useless if I am supposed to form an opinion on the current for of the proposal from this article based on the proposal itself. According the the article the critics don't agree with each other on why it should be opposed, this appearance may or may not reflect reality but it sure would be nice to deal in facts and specifics.

From the beginning of the article:"The bill would essentially give corporations a blank check to allow for widespread sharing of all kinds of information"Translation: The bill shares too much information

"The law should not immunize a failure to take reasonable measures, such as the sharing of information, to prevent harm when and if the entity knows that such inaction will cause damage"Translation: The bill doesn't require enough sharing of information

Which is it? Does it allow too much sharing or not share enough? What does it do?

Yes, surprising isn't it, when a news article presents both sides of a story and doesn't tell you which one you are expected to adopt as your point of view.

I think the premise of the article is not how you should feel about the legislation so much as just letting peeps know that they are being called names by a politician.

Wait, a group of wolves is FOR legislation that makes it easier for wolves to prey on sheep? I don't understand why that would be so. And I don't get the sheep being AGAINST it, either. Can someone explain this to me in politically correct terms?

It's simple really, by attaching a GPS tracking device to all sheep and providing billions of dollars to the wolves, the wolves can accurately track all the sheep, their preferences for food, their tastiness for consumption and how horrible they are. It means less random killings of sheep to feed the pack as they can target with more precision and they'll only take the bad sheep. And obviously they won't ever want to go after you, you're a smart sheep who wouldn't do anything wrong, so why are you worried about it, what are you hiding?

Plus if you ever happen to become a cannibal, these same protections will work for your sheep eating habits to, so really it makes sense for all involved. Plus, wolves aren't really that bad of a sheep either, just because they're a wolf in sheep's clothing doesn't make them instantly bad. They might be children. Why do you hate children?

Well, yes, the 'it is now totally legal to share basically any customer data you want with anyone you want, regardless of any prior restrictions, as long as you mention "security" while doing so' part isn't one of the points we came a long way on; but our revision of three run-on sentences and a split infinitive was so damn bipartisan it hurts... Why can't we compromise???

I'm left trying to figure out what exactly is wrong with basement-dwelling 14 year-olds. I mean, they' re minors. Where else are they going to live?

Exactly. Any 14 year old that has a decently sized basement to themselves is living pretty large. I know of plenty of places that charge a pretty penny to rent out a basement. I'd say that a basement dwelling 14 year old is doing pretty well for themselves.

Interesting. If you read most TOS/EULA's/And other legal crap end users always have to sign they basically absolve the corportation of any actions against them and if it doesn't do that outright they usually have a provision that they can change the terms at anytime without notifying you and then later add things in there saying you cannot take actions. In addition they usually let you know they will share all your information with 3rd parties as they see fit.

This move to add it to law seems to me to be telling all this legal gobbly-gook we have been agreeing to blindly may actually hold very little legal weight and may in fact be unenforceable.

For a news article this is surprisingly lacking any specifics on the language of the bill. There isn't even a point by point he said she said of the contentious issues. Pretty useless if I am supposed to form an opinion on the current for of the proposal from this article based on the proposal itself. According the the article the critics don't agree with each other on why it should be opposed, this appearance may or may not reflect reality but it sure would be nice to deal in facts and specifics.

From the beginning of the article:"The bill would essentially give corporations a blank check to allow for widespread sharing of all kinds of information"Translation: The bill shares too much information

"The law should not immunize a failure to take reasonable measures, such as the sharing of information, to prevent harm when and if the entity knows that such inaction will cause damage"Translation: The bill doesn't require enough sharing of information

Which is it? Does it allow too much sharing or not share enough? What does it do?

I might be wrong, but I read it as two different types of "information." In the first instance, we're talking personal information about individuals (bad to share without restriction). In the second, I think it's talking about sharing information in general, not necessarily personal information, that would prevent some harm if known by others.

For a news article this is surprisingly lacking any specifics on the language of the bill. There isn't even a point by point he said she said of the contentious issues. Pretty useless if I am supposed to form an opinion on the current for of the proposal from this article based on the proposal itself. According the the article the critics don't agree with each other on why it should be opposed, this appearance may or may not reflect reality but it sure would be nice to deal in facts and specifics.

From the beginning of the article:"The bill would essentially give corporations a blank check to allow for widespread sharing of all kinds of information"Translation: The bill shares too much information

"The law should not immunize a failure to take reasonable measures, such as the sharing of information, to prevent harm when and if the entity knows that such inaction will cause damage"Translation: The bill doesn't require enough sharing of information

Which is it? Does it allow too much sharing or not share enough? What does it do?

While I somewhat agree that the article could do a better job of summarizing the problems with this bill, it contains 9 links to supplemental reading if you want to dig deeper.

Here is Mike Roger's contact page. He only allows emails from his own district (via a zip code check), but you can use the address he uses as his office to get past that check (just a bit down the page from the zip code box).

Let this douche-nozzle know what you think of him calling you a basement dwelling 14 year old...

I'm the retired CIO of a meduim sized public company recently gerrymandered into Rep. Roger's district. I wrote a long detailed email outlining why this is a bad idea for most corporations and offering to help him understand this issue better. I didn't get more than an automated "got the message" response. I'm pretty far past being a basement dwelling 14 year old. He is too stubborn or too ashamed to pull this legislation back or more likely in somebody's pocket.

Um, the problem is the government requesting information for "classified" reasons. How can you place blame on the private companies giving in to pressure from the government?! Then the government says it's not our fault the private company gave us the information. They should stop giving us the info we are requesting!? Set yourself on fire Washington DC.

Is anyone really surprised given that the former chair of the United States Senate Committee on Commerce, Science and Transportation thought that Netflix traffic was causing his "internets" (emails, actually) to be delayed for a day? None of these guys is interested in learning about anything; a lobbyist tells them to take a position, and they take it. It's when they try to justify it without reading the briefing memo that hilarity ensues.

For a news article this is surprisingly lacking any specifics on the language of the bill. There isn't even a point by point he said she said of the contentious issues. Pretty useless if I am supposed to form an opinion on the current for of the proposal from this article based on the proposal itself. According the the article the critics don't agree with each other on why it should be opposed, this appearance may or may not reflect reality but it sure would be nice to deal in facts and specifics.

From the beginning of the article:"The bill would essentially give corporations a blank check to allow for widespread sharing of all kinds of information"Translation: The bill shares too much information

"The law should not immunize a failure to take reasonable measures, such as the sharing of information, to prevent harm when and if the entity knows that such inaction will cause damage"Translation: The bill doesn't require enough sharing of information

Which is it? Does it allow too much sharing or not share enough? What does it do?

I think the concern is that the legislation would immunize companies for both actions&mdash;both for sharing information they'd otherwise be prohibited from sharing (like private communications, personal data) <i>and</i> for negligently failing to disclose relevant information (information about imminent threats perhaps). Critics don't think companies should be let off the hook for either type of misconduct.